Insecure Random Number Generator in Progress DataDirect Connect for ODBC with Oracle Advanced Security Encryption
CVE-2023-34363

5.9MEDIUM

Key Information:

Vendor: Progress
Status: Datadirect Odbc Oracle Wire Protocol Driver
Vendor: CVE Published:; 9 June 2023

What is CVE-2023-34363?

An issue has been identified in Progress DataDirect Connect for ODBC prior to version 08.02.2770 when utilizing Oracle Advanced Security (OAS) encryption. If an error occurs during the initialization of the encryption object, the system defaults to a less secure encryption mechanism that employs a flawed random number generator for key generation. This vulnerability exposes the potential for attackers to anticipate and predict the private key, thereby compromising the ability to securely encrypt data transmitted between the driver and the database server. This flaw is not present when using SSL/TLS encryption.

References

https://progress.com

https://community.progress.com/s/article/Security-vulnera...

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 9, 2023
Vulnerability Reserved
Jun 2, 2023